hjt log

scottpaugh · 02-28-2005, 08:41 AM

I'm pretty new at using hjt. Could someone please loo at this log & tell me what I need to do? Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:59:18 AM, on 2/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SNA\system\snabase.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SKDAEMON.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINNT\System32\SKSMAILD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Photo Manager\Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\winnt\system32\xqqvbm.exe
c:\winnt\system32\packager.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mailsrv.rcbhsc.wvu.edu/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = uhc-proxy:80
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {36B215CB-285F-495D-A06B-367ABEF20D46} - C:\WINNT\system32\zyfrw.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SDWin32 Class - {FE23A7E9-5207-48EC-B025-55EED84AFD31} - C:\WINNT\system32\ylowm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [xqqvbm] c:\winnt\system32\xqqvbm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [zyfrwc] C:\WINNT\system32\zyfrwc.exe
O4 - HKLM\..\Run: [ylowmc] C:\WINNT\system32\ylowmc.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Manager Monitor.lnk = C:\Program Files\Photo Manager\Monitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB
O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AB0E6E3B-4C96-48D8-A3FF-3235B524B7F9} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxweb...IDXBrowser.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: HEAT Business Rule Monitor (Business Rule Monitor) - FrontRange Solutions - C:\Program Files\HEAT\BRMService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: HEAT FLS Text Search Service (TextSearchService) - FrontRange Solutions - C:\Program Files\HEAT\TextSearchService.exe

CTSNKY · 02-28-2005, 01:54 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

c:\winnt\system32\xqqvbm.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: SDWin32 Class - {36B215CB-285F-495D-A06B-367ABEF20D46} - C:\WINNT\system32\zyfrw.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SDWin32 Class - {FE23A7E9-5207-48EC-B025-55EED84AFD31} - C:\WINNT\system32\ylowm.dll
O4 - HKLM\..\Run: [xqqvbm] c:\winnt\system32\xqqvbm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [zyfrwc] C:\WINNT\system32\zyfrwc.exe
O4 - HKLM\..\Run: [ylowmc] C:\WINNT\system32\ylowmc.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\BTGrab.dll
C:\WINNT\farmmext.exe
C:\WINNT\system32\zyfrwc.exe
C:\WINNT\system32\ylowmc.exe
C:\WINNT\system32\zyfrw.dll
C:\WINNT\system32\AUNBHO.dll
C:\WINNT\system32\ylowm.dll
c:\winnt\system32\xqqvbm.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

scottpaugh · 03-01-2005, 06:58 AM

Thanks for the help! Everything seems to be running smoothly now. Here's a copy of my latest log.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:50:17 AM, on 3/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\SNA\system\snabase.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\system32\SKDAEMON.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\system32\ICO.EXE
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINNT\system32\Pelmiced.exe
C:\WINNT\System32\SKSMAILD.EXE
C:\Program Files\Photo Manager\Monitor.exe
C:\Program Files\hijack this\HijackThis.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mailsrv.rcbhsc.wvu.edu/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1339
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Photo Manager Monitor.lnk = C:\Program Files\Photo Manager\Monitor.exe
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB
O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AB0E6E3B-4C96-48D8-A3FF-3235B524B7F9} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxweb...IDXBrowser.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: HEAT Business Rule Monitor (Business Rule Monitor) - FrontRange Solutions - C:\Program Files\HEAT\BRMService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: HEAT FLS Text Search Service (TextSearchService) - FrontRange Solutions - C:\Program Files\HEAT\TextSearchService.exe

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 03-01-2005, 11:53 AM

Check and fix these also:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxwe.../IDXBrowser.cab

Delete this file if it still exists -> C:\WINNT\farmmext.ini

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

scottpaugh · 03-02-2005, 07:03 AM

No problems at all now. Thanks for all your help!

02-28-2005, 08:41 AM	#1 (permalink)
scottpaugh Registered User Join Date: Feb 2005 Posts: 3 OS: win2k pro	hjt log I'm pretty new at using hjt. Could someone please loo at this log & tell me what I need to do? Thanks! Logfile of HijackThis v1.99.1 Scan saved at 9:59:18 AM, on 2/28/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\WINNT\System32\svchost.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\SNA\system\snabase.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\hkcmd.exe C:\WINNT\system32\SKDAEMON.EXE C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe C:\WINNT\System32\SKSMAILD.EXE C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Photo Manager\Monitor.exe C:\Program Files\Internet Explorer\iexplore.exe c:\winnt\system32\xqqvbm.exe c:\winnt\system32\packager.exe C:\WINNT\system32\notepad.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE C:\WINNT\msagent\AgentSvr.exe C:\Program Files\hijack this\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mailsrv.rcbhsc.wvu.edu/proxy.pac R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = uhc-proxy:80 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: comments (such as these) may be inserted on individual O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: SDWin32 Class - {36B215CB-285F-495D-A06B-367ABEF20D46} - C:\WINNT\system32\zyfrw.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: SDWin32 Class - {FE23A7E9-5207-48EC-B025-55EED84AFD31} - C:\WINNT\system32\ylowm.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll O4 - HKLM\..\Run: [xqqvbm] c:\winnt\system32\xqqvbm.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [zyfrwc] C:\WINNT\system32\zyfrwc.exe O4 - HKLM\..\Run: [ylowmc] C:\WINNT\system32\ylowmc.exe O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Photo Manager Monitor.lnk = C:\Program Files\Photo Manager\Monitor.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {AB0E6E3B-4C96-48D8-A3FF-3235B524B7F9} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxweb...IDXBrowser.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: HEAT Business Rule Monitor (Business Rule Monitor) - FrontRange Solutions - C:\Program Files\HEAT\BRMService.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: HEAT FLS Text Search Service (TextSearchService) - FrontRange Solutions - C:\Program Files\HEAT\TextSearchService.exe

02-28-2005, 01:54 PM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): c:\winnt\system32\xqqvbm.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O1 - Hosts: comments (such as these) may be inserted on individual O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll O2 - BHO: SDWin32 Class - {36B215CB-285F-495D-A06B-367ABEF20D46} - C:\WINNT\system32\zyfrw.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: SDWin32 Class - {FE23A7E9-5207-48EC-B025-55EED84AFD31} - C:\WINNT\system32\ylowm.dll O4 - HKLM\..\Run: [xqqvbm] c:\winnt\system32\xqqvbm.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKLM\..\Run: [zyfrwc] C:\WINNT\system32\zyfrwc.exe O4 - HKLM\..\Run: [ylowmc] C:\WINNT\system32\ylowmc.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINNT\BTGrab.dll C:\WINNT\farmmext.exe C:\WINNT\system32\zyfrwc.exe C:\WINNT\system32\ylowmc.exe C:\WINNT\system32\zyfrw.dll C:\WINNT\system32\AUNBHO.dll C:\WINNT\system32\ylowm.dll c:\winnt\system32\xqqvbm.exe Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!!

03-01-2005, 06:58 AM	#3 (permalink)
scottpaugh Registered User Join Date: Feb 2005 Posts: 3 OS: win2k pro	results log....Thanks! Thanks for the help! Everything seems to be running smoothly now. Here's a copy of my latest log. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\interMute\SpySubtract\SpySub.exe O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:50:17 AM, on 3/1/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\SNA\system\snabase.exe C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe C:\WINNT\system32\SKDAEMON.EXE C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\WINNT\system32\ICO.EXE C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe C:\WINNT\system32\Pelmiced.exe C:\WINNT\System32\SKSMAILD.EXE C:\Program Files\Photo Manager\Monitor.exe C:\Program Files\hijack this\HijackThis.exe C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mailsrv.rcbhsc.wvu.edu/proxy.pac R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1339 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup O4 - Global Startup: Photo Manager Monitor.lnk = C:\Program Files\Photo Manager\Monitor.exe O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {AB0E6E3B-4C96-48D8-A3FF-3235B524B7F9} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxweb...IDXBrowser.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wvuh.wvuhs.com O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: HEAT Business Rule Monitor (Business Rule Monitor) - FrontRange Solutions - C:\Program Files\HEAT\BRMService.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: HEAT FLS Text Search Service (TextSearchService) - FrontRange Solutions - C:\Program Files\HEAT\TextSearchService.exe End of KRC HijackThis Analyzer Log. ====================================================================

03-01-2005, 11:53 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Check and fix these also: R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://nt-avm1.wvuh.wvuhs.com/idxwe.../IDXBrowser.cab Delete this file if it still exists -> C:\WINNT\farmmext.ini Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-02-2005, 07:03 AM	#5 (permalink)
scottpaugh Registered User Join Date: Feb 2005 Posts: 3 OS: win2k pro	No Problems No problems at all now. Thanks for all your help!